Thursday, May 11, 2017

Contaminating Evidence FIVE

To refresh, these discussions (links at foot of this article) originated because someone asked a question e.g. should I put a seized damaged SIM card into a seized mobile phone (handset), where both items have been found placed into the same Exhibit bag? The discussions have been to highlight helpful observations about what can be involved and learning the lesson to keep a damaged SIM card separate from the handset and conduct tests independently from combined forensic suites; hence the need for Test A Damaged SIM Card SOP.

Yes, you can run a test single APDU (application protocol data unit) command to select particular data from a SIM card, as you can run a script containing multiple test APDU commands. For example, what follows is an example of multiple APDU command to SELECT and GET RESPONSE  from the SIM card requesting the SIM's IMSI (international mobile subscriber identity). Invariably, investigating officers and security may only require just that little piece of information; and whether extracted and harvested from a working SIM or a damaged SIM. Where a damaged SIM Card is involved it wont be clear at the initial examination stage whether (a) the SIM will respond to any test or fully-blown image? and (b) if it does, could there be only chance to retrieve any data from it (the card)?

APDU Commands
We know that the standards identify commands as follows and therefore these would most likely assist the examiner when reading the SOP. Remember in part FOUR it referred to the SOP should assist examiners by identifying the short form title and clause. So here is one exercise you can do now. Go and download ETSI GSM11.11 (Release R1999) and 3GPP TS 31.102 latest release and identify the short form title and clauses relevant to the APDU commands below:

- Select
- VerifyCHV
- ReadBinary
- ReadRecord
- UpdateBinary
- UpdateRecord
- Status

Test APDU - IMSI Request
The next step is to select and chosen the statements needed to issue commands for the SIM card to reveal the IMSI:

- 2GMode
- Select 3F00
- Select 7F20
- Select 6F07
- ReadBinary

USIM Commander GUI Image

The IMSI has been doctored in the above image for privacy and security reasons. However, the three windows panes above illustrate how to validate commands issued to a damaged SIM card. The left pane shows the commands. the top right pane shows the status and harvested data of the commands issued. And the bottom right pane confirms the translated APDU trace and the Raw APDU trace. Thus proving the process and procedure the examiner adopted and applied during testing. This information can then be logged into the examiner's Contemporaneous Notes. 

Training and Discovery
Before jumping into conducting the tests, training and exposure to different types of SIM cards and their conditions should be the first priority. Even the best APDU scripters make mistakes. The screen images that follow illustrate mistake and correction (can you find the mistake?) and following that the importance of the learning curve an examiner needs, which is only possible base upon discovery using training SIM cards to see what might be revealed.
Examiner need to be encouraged to extend search investigation beyond the template. The images below, identifies CHV1 and CHV2 discovery might reveal. This discovery helps examiners to uncover if unknown CHV1 and CHV2 can be revealed.

Contaminating Evidence ONE  -
Contaminating Evidence TWO -
Contaminating Evidence THREE  -

Contaminating Evidence FOUR - 

No comments: